Modern Factoring Algorithms

Home , Coprime integers, Integer factorization, Trial division

Kostas Bimpikis and Ragesh Jaiswal University of California, San Diego

... both Gauss and lesser mathematicians may be justiﬁed in rejoicing that there is one science [number theory] at any rate, and that their own, whose very remoteness from ordinary human activities should keep it gentle and clean. - G.H. Hardy, A Mathematician’s Apology, 1940

Unfortunately for Hardy, nowadays, number theoretic results form the basis of several applica- tions in the ﬁeld of cryptography. In this survey, we will present the most recent approaches on solving the factoring problem. In particular, we will study Pollard’s ρ algorithm, the Quadratic and Number Field Sieve and ﬁnally, we will give a brief overview on factoring in quantum computers.

1. INTRODUCTION The Integer Factorization problem is defined as follows: given a composite integer N, find a non-trivial factor e of N, i.e. find e such that e|N. The most straight- forward method of factoring is√trial division, which, essentially, checks for every prime number√ p, such that p ≤ N, if p|N. However, trial division may take more than O( N) bit operations, which makes it extremely inefficient for the numbers of interest. Before going on with describing the modern ideas for factoring, it would be interesting to give some facts about the history of the problem. Integer factorization is one of the oldest problems in mathematics. Many of the techniques used in modern factoring algorithms date back to ancient Greece (eg. the sieve of Eratosthenes, Euclid’s algorithm for finding the gcd). The great mathematicians of the 17th and 18th century (Fermat, Euler Legendre, Gauss, Jacobi), also, contributed with a number of ideas. But the major breakthroughs happened during the last 30 years, especially after the introduction of public key cryptography, and in particular of the RSA cryptosystem. Specifically, it can be shown that if factoring is solved efficiently, then the RSA cryptosystem would become extremely insecure. That is why, RSA Security, the company behind RSA cryptosystem, provides funding for a factoring competition, the so-called RSA challenge. Interestingly enough, the most recent algorithmic improvements in factoring are closely associated with a RSA challenge number. Factoring is also interesting from a complexity theoretic point of view. Its complexity status hasn’t been resolved yet. Its decision version (”has N a factor less than M?”) is known to belong to both NP and coNP . However, it is suspected that it isn’t NP -complete or coNP -complete, since otherwise this would imply that NP = coNP , which is a rather surprising result. Moreover, it is known to be in BQP (bounded error quantum polynomial time) because of Shor’s algorithm [Shor, 2 · Modern Factoring Algorithms

1994]. This paper is organized as follows: in section 2 we present Pollard’s ρ algorithm, which was the ﬁrst major improvement over the naive trial division algorithm. Then, in section 3 we describe the best two algorithms up to date: quadratic sieve and number ﬁeld sieve. These two algorithms follow the same pattern and that is why we categorize them under the same name: sieve algorithms. In section 4 we present Shor’s algorithm for factoring in quantum computers. Finally, in section 5 we conclude and provide the current status of the factoring problem.

2. POLLARD’S ρ ALGORITHM In 1975 John M. Pollard proposed a very eﬃcient Monte Carlo algorithm for factoring, now known as Pollard’s ρ method. The algorithm is substantially faster than trial division for ﬁnding a small non-trivial factor of a large integer N, if such exists.

2.1 Basic ideas The basic component of Pollard’s ρ algorithm is a sequence of pseudo-random integers constructed in the following way:

x0 = random(0,N − 1) xi = f(xi−1)(mod N), i = 1, 2, ··· where f is a polynomial with integer coefficients, eg. in most practical implemen- tations of the algorithm f(x) = x2 + α, α 6= 0, −2. The intuition behind the algorithm is the following simple observation: suppose that N is the number we would like to factor and d is a non-trivial divisor of it. We further assume that d is small compared to N. Since, there is a smaller number of congruence classes modulo d than modulo N, it is quite probable, that there exist numbers xi and xj, such that: xi ≡ xj mod d and xi 6≡ xj mod N From the above we conclude that d|(xi − xj) and N 6 |(xi − xj), thus, it follows that gcd(xi − xj,N) is a non-trivial divisor of N. Let’s see how we can combine the previous observation with the sequence of integers described above to devise an efficient algorithm to compute a non-trivial factor d of N. First of all, note that, although we don’t know d, we can use the xi’s to get a non-trivial factor of N by simply calculating α = gcd(xi − xj,N) at each step for every xj with j < i. Most of the times α will be equal to 1, but we expect that it won’t take too many steps to find d. The algorithm will become apparent with an example: 2 Let N = 1079 = 13 ∗ 83, f(x) = x − 1 and x0=2. Then the sequence of pseudo-random integers generated by f is the following:

2, 3, 8, 63, 1194, 1186, 177, 814, 996, 310, 396, ···

At each step i of the algorithm we compute gcd(xi − xj,N) for every j < i. In our Modern Factoring Algorithms · 3 case:

gcd(x1 − x0,N) = gcd(3 − 2, 1079) = 1 gcd(x2 − x1,N) = gcd(8 − 3, 1079) = 1 gcd(x2 − x0,N) = gcd(8 − 2, 1079) = 1 gcd(x3 − x2,N) = gcd(63 − 8, 1079) = 1 gcd(x3 − x1,N) = gcd(63 − 3, 1079) = 1 gcd(x3 − x0,N) = gcd(63 − 2, 1079) = 1 gcd(x3 − x2,N) = gcd(1194 − 63, 1079) = 13 The algorithm made only 7 calculations to ﬁnd the divisor 13.

2.2 Improvements Unfortunately, we cannot always guarantee that we will ﬁnd d in such a small number of steps. Therefore, the cost of computing gcd(xi − xj,N) for every j < i becomes prohibitive as i increases. There are a few ways we could improve the algorithm:

—Pollard proposed using Floyd’s cycle-ﬁnding algorithm to reduce the number of steps before two integers are found, such that xi ≡ xj (mod d). To be more speciﬁc, the improved algorithm computes the following gcd’s only:

gcd(x2i − xi,N) i = 1, 2, ···

To see why this works, suppose that xi ≡ xj (mod d). Then, it is easy to see that xi+1 ≡ xj+1 mod d, since xi+1 = f(xi) and xj+1 = f(xj). We can extend this fact to every xi+k ≡ xj+k (mod d) (k=1, 2, ··· ), so eventually there will be an i, such that x2i = xi mod d. So, we conclude that it suﬃces to compute for every i only one gcd (gcd(x2i − xi,N)) instead of i − 1. Also, note that we can exploit the following fact, in order to compute x2i, without using the values xi+1, xi+2, ··· , x2i−1:

y0 = x0 y1 = x2 = f(x1) = f(f(x0)) = f(f(y0)) y2 = x4 = f(x3) = f(f(x2)) = f(f(y1)) . . yi = x2i = f(x2i−1) = f(f(x2i−2)) = f(f(yi−1))

So, this allows us to compute x2i by storing only a single value, namely yi−1. —Another useful trick is instead of performing a gcd operation at every single step, to construct big products and perform a single gcd operation every, say, n steps. In other words, instead of computing gcd(x2i − xi,N) for every i, we perform one gcd computation every n steps (gcd(Qn,N) by setting Qn = n Πi=1(x2i − xi)(mod N). It is easy to see that if gcd(x2i − xi,N) = d > 1, then also gcd(Qn,N) > 1. —Brent proposed a slight modification to Pollard’s ρ algorithm. Specifically, instead of computing gcd(x2i − xi,N) he considers a different set of differences. This modification reduces the running time by 1/4. 4 · Modern Factoring Algorithms

2.3 Running time analysis Suppose that p is a prime divisor of N. Then, we will show that it takes Pollard’s algorithm an expected number of O(p(p)) iterations to find p. In order to prove this statement we will use the birthday paradox (see appendix in [Bellare et al., 2004]). First of all, we assume that the numbers generated by f have a ”random” behavior, i.e. are independently chosen from {0, 1, ··· , p − 1}, which is essential for the birthday paradox to apply in our setting. Suppose that we have the first k numbers of the sequence in hand x1, x2, ··· , xk. Then, according to the birthday paradox, the probability that all these k numbers are distinct (mod p) is equal to the following: 1 2 k − 1 −k2 (1 − )(1 − ) ··· (1 − ) ≈ exp( ) p p p 2p √ From the above we conclude that if k = O( p), then the probability of finding √ the values x2i, xi we are looking for is high. So, we conclude that after O( p) we expect to find p. Each iteration consists of computing xi, x2i = yi and gcd(x2i − xi,N), so we need 3 modular multiplications, 4 modular additions (subtractions are counted as additions) and one gcd operation per iteration. This gives us a running time of 2 O(|N| ) per iteration. We conclude that the total running√ time of Pollard’s ρ √ 2 1 2 method is O( p · |N| ) = O(N 4 · (log N) ), since p ≤ N. Note, that the above proof depends on the assumption that f has a ”random” behavior, which hasn’t been proved formally yet. However, the algorithm seems to work well in practice with f equal to simple quadratic polynomials.

3. SIEVE ALGORITHMS Before moving on with the main idea and the algorithm we need to set up some vocabulary. Definition 3.1. A non-empty set, F of positive prime integers is called a factor base. An integer k is said to be smooth over a factor base F , if all primes occuring in the unique factorization of k into primes, are members of F . 3.1 Difference of Squares Most of the modern factoring algorithms use the basic technique of ”difference of squares”. The idea here is that given a number, N if we find two integers x and y such that x 6≡ ±y (mod N) and: x2 ≡ y2 (mod N) (1) then gcd(x − y, N) and gcd(x + y, N) gives non-trivial factors of N. So, the first idea that comes to mind is why not just guess integers x, y which satisfy 1 and hope that gcd(x − y, N) gives a non-trivial factor of N. If N = pq for some primes p, q then it is easy to show that this happens with probability 2/3. This motivates us to develop factoring algorithms that try to find integers x, y such that the difference of their squares is divisible by N. Using these ideas, let us describe a simple factoring algorithm. Modern Factoring Algorithms · 5

3.2 A Simple Factoring Algorithm

Consider a factor base F = {p1, p2, ..., pm}. We construct a set U = {r1, r2, ..., rn} 2 of integers such that ∀i : f(ri) = ri (mod N) is smooth over the factor base F , or:

2 ei1 ei2 eim ∀i : f(ri) = ri ≡ p1 p2 ...pm (mod N) (2) eij in the above equation is the exponent of pj occuring in the factorization of f(ri). If U has the additional property that: n X ∀j, 1 ≤ j ≤ m : eij = 2 · ei (for some ei ∈ Z) (3) i=1 Then we have: n n Y Y 2 e1 e2 em 2 f(ri) = ri ≡ (p1 · p2 ...pm ) (mod N) (4) i=1 i=1 Now, the integers x, y, we were looking for are simply: n Y x = ri i=1

m Y ei y = pi i=1 From equation 4 we can check that x2 ≡ y2 (mod N). The main issue we are left with, is how to construct a set U as defined above. A way to do this, is by simply guessing > m integers, the squares of which are smooth over F and then picking out a subset U of these, such that equation 3 is satisfied. Picking the right subset U is done as follows: first, each integer r that is picked for consideration, is represented as an m dimensional vector,v ¯, wherev ¯j = ej, where ej is the exponent of the j-th element of the factor base in the integer decomposition of f(r) into primes. The problem of finding U is now simplified to finding a set of vectors, such that their sum mod 2 is the zero vector. This can be easily achieved using linear algebraic techniques, which we do not discuss here. Now, we are in a position to understand the quadratic sieve algorithm which is based more or less on the ideas presented above.

3.3 Quadratic Sieve Algorithm The Quadratic Sieve algorithm was developed by Carl Pomerance and was a popular factoring algorithm in the 1980’s and early 1990’s. In particular, in 1994 the factorization of RSA-129 challenge number was completed using QS. This fact came as a surprise to the community, since RSA-129 was thought to be extremely difficult to factor. The algorithm is mostly the same as the previous one. The difference lies in the 2 2 modification of the function f from f(ri) = ri (mod N) to f(ri) = ri − N. As we will see this change does not effect the logical flow of the previous algorithm, however it significantly improves the algorithm’s running time, because of the fact that, it is a lot faster to check if for some ri, f(ri) is smooth over a factor base. 6 · Modern Factoring Algorithms

The algorithm works as follows:

(1) Fix a factor base F = {p1, p2, ..., pm}. (2) Search for integers r such that f(r) = r2 − N is smooth over F .

(3) Find a subset U = {r1, r2, ..., rn} such that equations 2, 3 and 4 hold for the modiﬁed f. Now we can deﬁne: n Y x = ri i=1

m Y ei y = pi i=1 We can check that x, y satisfy 1:

n n m !2 2 Y 2 Y 2 Y ei 2 x = ri ≡ (ri − N) ≡ pi ≡ y (mod N) (5) i=1 i=1 i=1 To see how the modified f benefited us, let us concentrate on the second step. Previously, in order to check the smoothness of f(r) for a randomly selected r (in a particular range of interest), we would verify that f(r) is divisible by all primes in the factor base F using trial division. Instead, in QS we use a much more efficient approach: we consider each prime p in F and find all the r0s (in the range of interest) for which p divides f(r). This procedure is called the sieving process. Formally, for all integers, r in some range, say [a, b] (the range in which we expect to get more than m integers with smooth f(r)’s) we initialize an array with the corresponding f(r)0s. Next, for every prime p in the factor base, we divide all integers in the array with p (and its powers). We continue this process until we have more than m array locations containing 1. The r0s corresponding to these locations are the ones we are interested in. Its still not very clear as to how the modified f would make the sieving procedure faster compared to the previous function (because the above procedure could have been applied in the simple algorithm too). To see this, let for some integer r, f(r) = 0 (mod p), where p is a prime in the factor base. This implies that r2 −N ≡ 0 (mod p). Then, for any integer k we have (r + kp)2 − N ≡ r2 + 2rkp + k2p2 − N ≡ r2 − N ≡ 0 (mod p) or, f(r + kp) ≡ 0 (mod p). So, in the sieving process, we first solve the quadratic congruence r2 ≡ N (mod p) (which can be done efficiently) and then divide p out from array locations corresponding to r and r + kp for k ∈ Z. This is better than blind trial division because we perform the division only with the array elements, which we apriori know would be divisible by the prime. 3.3.1 Time Complexity. In this subsection we will provide an estimation for the running time of quadratic sieve algorithm. Actually, we will bound the running time of the first algorithm we gave (the simple algorithm). Then, we will see how Modern Factoring Algorithms · 7 much the sieving process of QS improves this bound. For simplicity, we may assume that our factor base consists of all primes ≤ y (the value of y will be determined later). The algorithm consists of three main steps as we have seen:

(1) find (π(y) + 1) integers r1, r2...rπ(y)+1 (where π(y), the number of primes less 2 that y), such that ri (mod N) can be written as a product of primes (and their powers) ≤ y. (2) find a subset U of these numbers, such that the product of these number is a perfect square (mod N). (3) if integers x, y found in this way, are such that x ≡ ±y (mod N) repeat the process. The simple algorithm we presented in the previous subsection uses random guessing as a method to find the integers ri. It can be shown that the probability to 2 find an integer ri, such that ri < N and ri can be written as the product of all −u log N primes ≤ y is approximately equal to u , where u is defined as: u = log y . Thus, we need to randomly guess (π(y) + 1)uu integers, before we find the (π(y) + 1) ri’s. Moreover, the time to test for each such integer if it is smooth over the factor base, is upper bounded by the time to divide it with every prime p in the base, i.e. bounded by O(y · log N · log y), since

—π(y) ≤ y —the primes in the factor base have at most (log y) bits —the randomly guessed have integers at most (log N) bits. So, using the fact that π(y) ≈ y/log y we get that step 1 requires O(uu · logN · y2) bit operations. As far as step 2 is concerned, it involves polynomial operations in y and log N. Therefore, step 2 adds a term O(yh · (log N)s) for integers h, s, to the complexity. Finally, there is a probability of at most 1/2 for this process to fail, i.e. the resulting numbers x, y are such that: x = ±y mod N. So, if we repeat the process, say 100 times, then with high probability we will find a non-trivial factor of N. Therefore, we conclude that the time complexity has the following form: O(100(uu(log N)y2 + yh + (log N)s)) = O(uuyh + (log N)s) Finally, we have to determine y. As we have claimed above the probability of 2 finding a ri such that (ri mod N) can be written as a product of primes ≤ y is u log N −u u , where u = log y . Intuitively, if y is large, then u is large, so with fairly high probability we find the smooth ri’s. However, if y is large then it takes too much time to verify that ri is actually smooth and, in step 2, to find the subset U. On the other hand, if y is small these operations are not so costly, but u−u becomes small, so we would have to try a lot of numbers before we find a ri, that satisfies our conditions. Therefore, we should choose the value of y from an intermediate range. It can be shown (after some simple algebraic calculations) that the appropriate value of y is: √ log N log log N y ≈ e 2k 8 · Modern Factoring Algorithms

Putting all these together, we get the following ”rough” estimate for the time complexity: √ O(eC log Nlog log N ) where C is a constant. The time complexity of QS has the same format. To be more speciﬁc, the expected running time of QS is asymptotically bounded above by: √ O(e(1+) logNloglogN ) for any > 0

3.4 General Number Field Sieve We would like to use the idea of ”difference of squares” to construct the algorithm but would like to make it faster than the previous 2 algorithms. The new idea here here is that we can work with rings other than Z which has the notion of smoothness similar to that defined for Z and hopefully has smooth values. If a mapping exists from such a ring to ZN then we can possibly work out a way to construct a difference of squares. Here is how we might do it. We begin by considering the following fact from algebraic number theory. Fact 3.1. Given a monic, irreducible polynomial f(x) with integer coefficients, a root θ ∈ C of f(x), and an integer m ∈ ZN for which f(m) ≡ 0 (mod N), the mapping φ : Z[θ] → ZN with φ(1) = 1 (mod N) which sends θ to m, is a surjective ring homomorphism. (Z[θ] is a set of all polynomials in θ with integer coefficients) Now using the above fact we construct a difference of squares in the following manner. We find a set, U of integer pairs (a, b) such that: Y Y (a + bθ) = β2 and (a + bm) = z2 (6) (a,b)∈U (a+b)∈U where β ∈ Z[θ] and z ∈ Z. Then using the homomorphism as defined in the fact above, the integer x, y can be defined as: x = φ(β) and y = z We will do a quick sanity check to confirm that this pair produces a difference of squares: Y Y Y x2 ≡ (φ(β))2 ≡ φ(β2) ≡ φ( (a+bθ)) ≡ φ(a+bθ) ≡ (a+bm) ≡ y2 (mod N) a+bθ∈U a+bθ∈U a+bθ∈U The algorithm has similar steps as we had outlined for the previous algorithms. Let us outline the steps and then discuss each step separately:

(1) Fix factor base I in the ring Z[θ] and F in the ring Z. (2) Find integer pairs a, b such that (a+bθ) is smooth over I and φ(a+bθ) ≡ (a+bm) is smooth over F . (3) Find a subset, U of pairs found in the previous step such that equation 6 is satisﬁed. Modern Factoring Algorithms · 9

Let us start with the first step of the algorithm. What do we mean by a factor base in Z[θ]? In Z we have defined it to be a set of prime numbers. It happens that in Z[θ] we can define a factor base as a set of prime ideals of Z[θ] of special form. We will derive this special form as we examine some interesting results from algebraic number theory. 3.4.1 Algebraic Factor Base. To understand the algorithm, we require a lot of results from algebraic number theory. Since our main interest is getting a good picture of the algorithm and the overall logical flow, we will not go forward to prove the results from number theory in this report. Instead we will dwell upon the results to build up the logical structure of the algorithm. Let us begin by setting up some vocabulary. Definition 3.2. Given a monic irreducible polynomial f(x) of degree d with integer coefficients and a root θ ∈ C of f(x), the set of all polynomials in θ with integer coefficients form a ring which is denoted by Z[θ] 1 Definition 3.3. Given an element α ∈ Z[θ], we denote the principle ideal generated by α as < α > Now the very first fact from number theory, that we mention below should make the overall approach clear. Fact 3.2. Ideals of Z[θ] can be uniquely factored, upto to order, into prime ideals of Z[θ]. Using this result we can start thinking of an algorithm in the following manner. We will fix a factor base consisting of prime ideals of Z[θ]. Then we pick up elements a + bθ ∈ Z[θ] for integers a, b such that < a + bθ > is smooth over the factor base.

e1 e2 em < a + bθ >= ρ1 ρ2 ...ρm (7) where ρi is a prime ideal in the factor base and ei is the exponent which is basically a positive integer. Once we have enough such elements the we can possibly multiply a subset of such elements to produce a square in Z[θ]. Remember that we simuta- neously need to produce a square in Z as described in the previous subsection (we will deal with this later). Though the idea is more or less clear we still need to answer some of the following questions: —What is the representation that we would be using for principle ideals and ideals? Is there an easy way to deal with these quantities? —The fact mentioned above just states that a unique factorization exists, but gives no clue of actually getting the factorization i.e. the ideals and the exponents. So is there a way to get the factorization? Are there any special properties of the exponents that can be exploited? Now it so happens that the answer to all the questions lies in the special form of the element a + bθ ∈ Z[θ], that we are considering. There are some nice results about elements of this type which we will exploit to answer the above questions.

1Deﬁnitions of various algebraic terms can be found at http://www.cs.ucsd.edu/users/rjaiswal/WebNotes/Files/algebra.pdf 10 · Modern Factoring Algorithms

Let us roughly sketch our goals at this point, so that we know where we are heading to. It would be good if we can express the factorization of an element a + bθ ∈ Z[θ] in terms of some special prime ideals which have easy representation and for which the exponents can be found easily. At this point of time we can only hope for such things and all our hopes are based on just the fact that we are considering elements of special form. Let us continue by deﬁning useful quantities and stating some interesting results from number theory.

Definition 3.4. Given an element α ∈ Z[θ], the norm of α denoted by N(α) is deﬁned as:

N(α) = g(θ1) · g(θ2)...g(θd) (8) where α = g(θ) (g(θ) is some polynomial in θ with integer coefficients) and θ1, θ2...θd are the roots of the polynomial f(x). Following is an interesting fact related to the norm of an element. Fact 3.3. The norm function as defined in 3.4 is a multiplicative function that maps elements of Z[θ] to elements of Z. Since we are also interested in ideals, let us define the norm for ideals. Definition 3.5. Given a ring R and an ideal I of R, the norm of I is defined to be [R : I], the number of cosets of I in R.

Having deﬁned the norm function for an element of Z[θ] and the norm of an ideal of a ring, consider the following result which relates these two quantities.

Fact 3.4. Let α ∈ Z[θ]. N(< α >) = |N(α)|. Now we deﬁne the special prime ideal that we hinted earlier.

Definition 3.6. A ﬁrst degree prime ideal ρ of Z[θ] is a prime ideal of Z[θ] such that N(ρ) = p for some prime integer p. The special prime ideal as deﬁned above, exhibit the following interesting property.

Theorem 3.1. The set of pairs (r, p) where p is a prime integer and r ∈ Zp with f(r) ≡ 0 (mod p) is in bijective correspondence with the set of all first degree prime ideals of Z[θ]. This result hints at an efficient representation of first degree prime ideals which unfortunately can be made useful only if we show that < a + bθ > is uniquely factored into only the first degree prime ideals. We also do not have a clue right now as to how to get the exponents in the factorization even if the previous condition holds. The following two results should resolve most of the mystery.

Fact 3.5. For every prime ideal ρi of Z[θ], there exists a group homomorphism ∗ lρi : Q(θ) → Z that possesses the following properties. ∗ (1 ) lρi (β) ≥ 0 for all β ∈ Q(θ)

(2 ) lρi (β) > 0 if and only if the ideal ρi divides the principal ideal < β > Modern Factoring Algorithms · 11

(3 ) lρi (β) = 0 for all but a finite number of prime ideals ρi of Z[θ], and |N(β)| = Q lρ (β) N(ρi) i for all prime ideals ρi of Z[θ] Here Q(θ)∗ denotes the multiplicative group of non-zero elements in the field Q(θ) (Q(θ) is a ring consisting of all polynomials in θ with coefficients ∈ Q). Note that if β = a + bθ 6≡ 0, then β ∈ Q(θ)∗ and the above applies. Fact 3.6. Given an element β ∈ Z[θ] of the form β = a+bθ for coprime integers a and b and a prime ideal p of Z[θ], then the homomorphism lρ of 3.5 corresponding to ρ has lρ(β) = 0 if ρ is not a first degree prime ideal of Z[θ]. Furthermore, if ρ is a first degree prime ideal of Z[θ] corresponding to the pair (r, p) as in theorem 3.1, then ord (N(β) ifa ≡ −br (mod p), l (β) = p ρ 0 otherwise. where ordp(N(β)) denotes the exponent of the prime integer p occurring in the unique factorization of the integer N(β) into distinct primes. Having studied all the results above, we are now in a position to put things together and understand the working of the algorithm. Consider an element a+bθ ∈ e1 e2 Z[θ] for co-prime a, b. From 3.2 we can write < a + bθ >= ρ1 ρ2 ... for prime ideals ρ1, ρ2.... From facts 3.4 and 3.5 we have: 0 0 e1 e2 e1 e2 p1 p2 ... = |N(a + bθ)| = N(< a + bθ >) = N(ρ1) N(ρ2) ... (9)

Now from fact 3.6 we get that ei = 0 for ρi which is not a first degree prime ideal of Z[θ]. Also from theorem 3.1 for any first degree prime ideal ρi we have a corresponding pair (r, p) and again from fact 3.6 we get that ei = 0 if a + br 6≡ 0 (mod p). Also, for the remaining first degree prime ideals, the exponent is the exponent of the correponding prime number occuring in the factorization of |N(a + bθ)|. Let us now sum up the results: (1) For co-prime a, b, < a + bθ > can be uniquely factored into only some first degree prime ideals of Z[θ]. (2) The condition for some first degree prime ideal dividing < a + bθ > can be checked easily by considering the corresponding (r, p) pair and checking if a + br ≡ 0 (mod p). (3) The exponents in the above factorization can be obtained by looking at the prime factorization of |N(a + bθ)| 3.4.2 Sieving. With this we come to the second step of the algorithm that we outlined initially. We fix our algebraic factor base I as some set of first degree prime ideals (this is simply represented by the set of pair (r, p) corresponding to each such ideal) and a rational factor base F as a set of primes. We have to find pairs (a, b) such that a + bθ is smooth over I and simultaneously a + bm is smooth over F . When we have enough pairs we can construct the set U such that equation 6 is satisfied. Here is how we generate the pairs. We fix b and consider all a0s in some range such that a and b are co-prime. We initialize an array with the values a + bm. Then we pick a prime, p from our factor base F and check if this divides an array location. This is done by checking if 12 · Modern Factoring Algorithms a ≡ −bm (mod p), but this also implies that a = −bm + kp for integer k. So we can simply go to the array locations corresponsing to these a0s and divide out p from the value stored. We do this for all primes in our factor base F . Finally we pick out the useful pairs by looking for array locations that contain 1. Note that such a pair, to be useful, should also be smooth over I. So we need to sieve based on I simultaneously which is done as follows. As we had initialized the array with a + bm in the previous case, here we initialize another array with N(a + bθ) for the same a, b values. We then pick an (r, p) pair corresponding to a first degree prime ideal ρ ∈ I, and check if a ≡ −rb (mod p) (if so this implies that ρ divides < a + bθ >). If the condition is satisfied then we also have a = −br + kp for integer k. So we can go to the array locations corresponding to these a0s and divide out p from the value in the location. This is repeated for all the elements in I and finally the array location is searched for 1. So the array location which are simultaneously 1 for both the arrays give the required (a, b) pairs. Once we have > max(|F |, |I|) such pairs we can construct a set U of pairs which satisfy equation 6 (using linear algebra techniques as discussed in the simple algorithm). The only thing left now is to define the function f and m. We assume that we are given a number N to be factored in the form we − s. We pick up a small integer d > 0. Given d, let k be the minimum integer such that kd ≥ e. So we have wkd ≡ swkd−e (mod N). Now we put m = wk and c = swkd−e so that md ≡ c (mod N). We define the function f as f(x) = xd − c. We assume that f(x) is irreducible for a reasonable choice of d (since it can be shown that for a non-trivial factor of f we can find a non-trivial factor of N). 3.4.3 Time Complexity. There is only a heuristic analysis for the time complexity of the algorithm. We avoid going into the complex details of the analysis and just mention the expected time. The algorithm runs in expected time exp((c + o(1))(log N)1/3((log log N)2/3) where c is a constant with value ≈ 1.526.

4. SHOR’S QUANTUM FACTORING ALGORITHM A quantum computer is a device that uses quantum phenomena to perform computation. A classical system follows a single computation path while a quantum system uses superposition of states to move along all possible paths and finally end up in one particular state when measured. We begin by understanding some definitions and properties of a quantum system. Definition 4.1. A qubit or a quantum bit is the analog of a bit for quantum computation. A qubit may assume continuum values of the form a|0 > +b|1 >, where a, b are arbitrary complex numbers (known as probability amplitudes) and |0 >, |1 > are the basis states (analog of 0, 1 states in a classical system). Complex numbers a and b satisfies a2 + b2 = 1. Now we look an interesting property that a system of qubits exhibit. Consider a 2 qubit system |ψ >= α00|00 > +α01|01 > +α10|10 > +α11|11 >. Now when the first qubit of this system is observed, the post-measurement quantum state of the system would be the superposition of all the states(present in pre-measurement) which have the first bit same as measured, normalized to unit length. For example if the first qubit is measured to be 0, then the post-measurement quantum state Modern Factoring Algorithms · 13 would be: α |00 > +α |01 > |ψ0 >= 00 01 p 2 2 α00 + α01 Definition 4.2. A Quantum Fourier Transform is defined as:

q−1 FT Zq 1 X |a >−→ ωca|c > (10) q1/2 c=0 where |a > is a basis state (the quantum system with a represented as binary), 0 ≤ a < q for some q where the number of bits of q is polynomial, and ω is the qth root of unity. Some observations about ω that will be helpful later are: 1 + ωj + ω2j + ... + ω(q−1)j = 0 if j 6= 0 (mod q) (11)

1 + ωj + ω2j + ... + ω(q−1)j = q if j = 0 (mod q) (12) The other important thing to note about this transform is that there are efficient quantum circuit made of quantum gates (analogous to classical gates and circuits) that can perform this transform. Now we can start discussing the quantum algorithm. We begin with some number theory basics. Given N (to be factored), consider the multiplicative group ∗ ∗ < ZN , . >. Let r be the order of any randomly chosen element x ∈ ZN . Then we have: xr − 1 ≡ 0 (mod N) ⇒ (xr/2 − 1)(xr/2 + 1) ≡ 0 (mod N) Note that xr/2 − 1 6≡ 0 (mod N) when r is even(else it becomes the order of x). So if (A) r is even and (B) xr/2 + 1 6≡ 0 (mod N), we can compute a non-trivial factor of N by finding gcd(xr/2 − 1,N) (can be done efficiently using the euclid’s algorithm). Now we have reduced the original problem of facoring to the following problem.

∗ (1) Find x ∈ ZN such that properties (A) and (B) are satisﬁed. (2) Find order r of x and compute gcd(xr/2 − 1,N) The following result solves the ﬁrst part of the problem.

∗ Fact 4.1. For randomly chosen x ∈ ZN there is a high probability that properties (A) and (B) are satisfied. So we assume that we are given an x satisfying conditions (A) and (B), and we mainly concentrate on finding r. In this work we will mainly try to understand how the quantum phenomenon helps in giving us r. We consider a simple case when we make the assumption that r divides q, where q is the quantity as in the definition of fourier transform. We start with two quantum registers in the initial state |0 > |0 > 14 · Modern Factoring Algorithms

We apply fourier transform to the ﬁrst register to get a uniform superposition of states. FT Zq √ X |0 > |0 >−→ 1/ q |a > |0 > (13)

a∈Zq We then apply modular exponentiation and raise x to value in the ﬁrst register. Again this can be done using appropriate quantum circuits in polynomial time(the time here is proportional to one modular exponentiation in classical system). We get the state: √ X 1/ q |a > |xa (mod n) > (14)

a∈Zq At this point we observe the second register. Suppose the state observed is xk (mod n). The post-measurement of the system according to the property we mentioned in the beginning of the system would be: 1 1 X √ |b > |xk mod n > (15) q p q/r b k ∀b∈Zq ,st x =x mod n since r is the order of x mod n, b = lr + k 0 ≤ l < q/r. So we have:

√ q/r−1 r X |lr + k > |xk mod n > (16) q l=0 Now we again apply fourier transform to the ﬁrst register to get. √ q/r−1 r X X ω(lr+k)u|u > |xk mod n > (17) q l=0 u∈Zq

√ q/r−1 r X X or, ωku (ωr)lu |u > |xk mod n > (18) q u∈Zq l=0 Now ωr is the q/rth root. From equations 11 and 12 we get that the amplitudes of all states except those where u = 0 mod q/r, cancel out. Only terms with u = 0 mod q/r remain. So ﬁrst register state is: √ r−1 r q X q |l > (19) q r r l=0 We get uniform superposition of all states that are multiples of q/r. With high q q q probability gcd(l, r ) = 1, in such a case gcd(q, l r ) = r . So with high probability q we get r by dividing q by gcd(q, l r ). The case when r 6 |q is dealt with using a little more advanced algebraic techniques but the basic quantum mechanics are the same. To keep things simple we skip this case in our report.

5. CONCLUSION In this survey, we looked into the most recent algorithmic advances in the integer factorization problem. We also stressed out the importance of the problem, by Modern Factoring Algorithms · 15 relating it to the security of the RSA cryptosystem. Currently, the champion of these algorithms is, as mentioned before, the Number Field Sieve, which has been used to factor numbers up to 576 bits long. However, it seems quite improbable that a PC-based implementation of the algorithm can do much better. That is why, other, non-algorithmic methods, have been proposed to improve the eﬃciency of the existing algorithms. The most popular of these new ideas is distributed computing. Speciﬁcally, the huge breakthrough of factoring the RSA-129 challenge number after 17 years, wouldn’t be possible without the help of 600 volunteers, that contributed the idle time of their computers to the project. The second idea is constructing special purpose factoring machines. Adi Shamir and others have shown that using custom hardware for the the sieving process, which is the most computationally intensive step of the Number Field Sieve, could make factoring of 1024-bit long integers tractable. The only drawback of such a machine would be its cost: it would be worth almost 10M $.

REFERENCES Jr. M. S. Manasse A. K. Lenstra, H. W. Lenstra and J. M. Pollard. The number ﬁeld sieve. In Proceedings of the twenty second annual symposium on theory of computing, pages 564–572. ACM Press, 1990. Mihir Bellare and Phillip Rogaway. CSE 207 Course Notes. http://www.cs.ucsd.edu/users/mihir/cse207/index.html, 2004. Matthew Briggs. An Introduction to the General Number Field Sieve. Master’s Thesis, Virginia Tech, 1998. Thomas H. Hungerford. Algebra. Springer-Verlag, 1980. H.W. Lenstra J.P. Buhler and Carl Pomerance. The Development of the Number Field Sieve. Springer, 1994. Neal Koblitz. A Course in Number Theory and Cryptography. Springer, 1994. RSA Laboratories. The RSA Challenge Numbers. Hans Riesel. Prime Numbers and Computer Methods for Factorization. Birkha¨auser, 1985. Peter W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In 35th Annual Symposium on Foundations of Computer Science, pages 124–134. IEEE, 1994. Song Y. Yan. Primality Testing and Integer Factorization in Public-Key Cryptography. Kluwer Academic Publishers, 2004.